Threat Actors Exploit ChatGPT and Grok Conversations to Deliver AMOS Stealer
The cybersecurity landscape has reached a critical juncture, marked by a sophisticated campaign that leverages the Atomic macOS Stealer (AMOS) through a deceptively simple vector, as identified by Huntress on December 5, 2025.
Conversations on AI platforms, including OpenAI’s ChatGPT and xAI’s Grok, have been manipulated to appear as trusted troubleshooting guides, surfacing via search engine optimization (SEO) to gain the trust of users.
This campaign is particularly alarming because it requires no malicious downloads, installer trojans, or traditional security warnings – just a search query, a click, and a copy-paste command.
The infection vector exploits the convergence of three trust mechanisms: search engine credibility, platform legitimacy, and AI-generated authority.
When users search for common macOS maintenance queries, such as “clear disk space on macOS,” highly ranked results direct them to ChatGPT and Grok conversations hosted on their respective legitimate domains.
These conversations present themselves as straightforward troubleshooting guides with professional formatting, numbered steps, and reassuring language about system safety.
However, the victim unknowingly triggers a multi-stage infection chain that silently harvests credentials, escalates privileges, and establishes persistent data exfiltration by executing the provided Terminal command.
AI-Powered Social Engineering
This represents a fundamental evolution in social engineering tradecraft, where attackers are no longer attempting to mimic trusted platforms but are actively weaponizing them through search result poisoning.
The malware no longer needs to masquerade as clean software when it can masquerade as help itself.
During the investigation, Huntress reproduced these poisoned results across multiple query variations, including “how to clear data on iMac,” “clear system data on iMac,” and “free up storage on Mac,” confirming that this is a deliberate, widespread campaign targeting common troubleshooting searches rather than an isolated incident.
The discovery of nearly addressed campaigns on both ChatGPT and Grok suggests systematic platform exploitation by a coordinated threat actor.
The technical sophistication behind AMOS deployment compounds the threat, with the initial command serving a bash script that requests the user’s system password under the guise of verification.
Rather than displaying a legitimate macOS authentication dialog, the script silently validates credentials using the dscl-authonly command, which confirms password correctness entirely in the background without any system UI prompts or Touch ID fallback options.
Once credentials are validated, the password is stored in plaintext and immediately weaponized through sudo -S, enabling complete administrative control without further user interaction.
The second stage involves downloading and installing the core stealer payload to a hidden directory (.helper) within the user’s home directory.
The malware then searches for legitimate cryptocurrency wallet applications, including Ledger Wallet and Trezor Suite, replacing them with trojanized versions that prompt users to re-enter seed phrases for purported security reasons.
Emerging AI-Driven Threat Vectors
Simultaneously, the stealer maintains comprehensive data harvesting capabilities targeting cryptocurrency wallets, browser credential databases, macOS user Keychain entries, and sensitive files across the filesystem.
Persistence proves particularly insidious, with a LaunchDaemon plist executing a hidden AppleScript watchdog loop that runs continuously, checking every second which user maintains the active GUI session.
If the main.helper binary is killed or crashes, the watchdog automatically relaunches it within one second, ensuring continuous execution across reboots and manual termination attempts.
This campaign presents extraordinary detection challenges for defenders, as traditional signature-based approaches fail because the initial infection vector appears identical to legitimate administrative tasks.
Organizations must shift focus toward behavioral anomalies, monitoring osascript credential requests, unusual dscl-authonly usage, hidden executables in home directories, and processes executing under sudo with piped passwords.
End users face equally difficult circumstances, as the attack leverages existing trust directly, making it challenging to distinguish between legitimate and malicious activities.
As AI assistants become increasingly embedded in daily workflows and operating systems, this delivery method will inevitably proliferate, making it essential for organizations to recognize that platform trust does not automatically transfer to user-generated content.
The most dangerous exploits don’t target code anymore; they target behavior and our relationship with AI, which will determine whether defenses succeed or fail in 2025 and beyond.